Citrix NetScaler application firewall function test

Source: Internet
Author: User

The new version of the Citrix NetScaler load balancer provides an application firewall function. The official description is no different from the application firewalls offered by other vendors: comprehensive defense. Let me test it.

Purpose:

1. Check whether the application firewall defends against SQL injection, XSS and CSRF.

2. Measure the performance overhead caused by enabling the application firewall function.

Basic configuration process:

Enable the application firewall:

System > Settings > Change basic features. Check Application Firewall.

Configure profiles:

Application Firewall > Profiles. At least one profile with a processing action must be configured.

By default, four profiles are available:

Appfw_block: blocks the request and returns the specified error page.

Appfw_bypass: ignores the check and allows the request.

Appfw_drop: discards the request without returning anything.

Appfw_reset: resets the connection.

Create a policy:

Application Firewall > Policies. At least one policy must be associated with a profile. You have to define the policy yourself: there is no default policy.

Apply the policy:

Application Firewall > Policies, select a policy, and click Global Bindings.

Procedure:

1. System > Settings > Change basic features. Select Application Firewall.

2. Create a profile: Application Firewall > Profiles > Add

Profile name: test. Profile type: Web Application (HTML).

3. Modify the configuration of the new profile:

Because requests do not need to be blocked during the test phase, only logging of hits is enabled; nothing is blocked.

4. Create a policy:

Application Firewall > Policies

Policy configuration on NetScaler is very unfriendly: there is no instruction document and no template.

Here, I configure the policy to match the POST and GET requests of all HTTP traffic.

5. Apply the policy:

Application Firewall > Policies, select the policy, and click Global Bindings.

Preliminary Test of Defense Capability

Find a page with an XSS vulnerability and send two probes:

http://ip/topic.php?tid=214607%27and%201=1 to test SQL injection defense

http://ip/topic.php?tid=214607%22%3E%3CsCrIpT%3Ealert%2868117%29%3C/sCrIpT%3E to test XSS defense

We can see that all of the simple probes above are caught by the firewall. This is just simple keyword matching. Because no packets are actually blocked (the profile only logs), the false positive rate was not tested.
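To make concrete what "simple keyword matching" means here, the following is an added toy model, not NetScaler's own code: it URL-decodes the query values of the two probe URLs above, matches them case-insensitively against two assumed signatures, and then applies the profile actions listed earlier (the log-only mode used in this test records the hit without blocking).

```python
"""Toy model of a log-only keyword check (constructed example, not NetScaler code)."""
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed signatures for illustration only; a real rule set is far larger.
# Case-insensitive matching is what lets the mixed-case "sCrIpT" probe hit.
SIGNATURES = {
    "sqli": re.compile(r"'\s*(and|or)\s+\d+\s*=\s*\d+", re.IGNORECASE),
    "xss": re.compile(r"<\s*script\b", re.IGNORECASE),
}

# Actions of the four default profiles described above, plus the log-only
# behaviour configured for this test.
ACTIONS = {
    "appfw_block": "return error page",
    "appfw_bypass": "allow",
    "appfw_drop": "drop without response",
    "appfw_reset": "reset connection",
}


def inspect_url(url: str) -> list:
    """Return the names of the signatures matched by any decoded query value."""
    hits = []
    # parse_qsl percent-decodes each value once (%27 -> ', %3C -> <), so the
    # signatures are matched against what the application would actually see.
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for name, pattern in SIGNATURES.items():
            if pattern.search(value) and name not in hits:
                hits.append(name)
    return hits


def decide(url: str, profile: str = "log-only") -> tuple:
    """Apply the profile's action to a request; returns (action, matched signatures)."""
    hits = inspect_url(url)
    if not hits:
        return ("allow", hits)
    if profile == "log-only":
        return ("allow and log", hits)   # the test configuration: record hits only
    return (ACTIONS[profile], hits)


if __name__ == "__main__":
    for probe in ("http://ip/topic.php?tid=214607%27and%201=1",
                  "http://ip/topic.php?tid=214607%22%3E%3CsCrIpT%3Ealert%2868117%29%3C/sCrIpT%3E",
                  "http://ip/topic.php?tid=214607"):
        print(decide(probe), decide(probe, "appfw_block"))
```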

Performance overhead:

Test tool: ab (ApacheBench)

With the policy applied:

  Requests   Concurrency   CPU        Memory    Management CPU
  0          0             0.1%       26.87%    1%
  1000       200           1%-2.5%    26.88%    0.7%

No policy applied:

  Requests   Concurrency   CPU        Memory    Management CPU
  1000       200           0.2%       26.88%    0.7%

Extrapolating to the NetScaler in front of the main application, which handles 15000 connections, the CPU overhead of the configured policy would be too high. Enabling this function is not recommended there.

Conclusion: the NetScaler application firewall implements simple application firewall functions that can defend against common initial probes, but it has a high performance overhead. If it is used on the same device as application-layer load balancing, enabling it is not recommended.
